EVOLUTION: NEW ANNEX 11 SUPPORTS RISK-BASED APPROACH

   

GMP/GDP – On Demand Online Training

You can book the desired online training from our extensive database at any time. Click below for more information.

   

Stay informed with the GMP Newsletters from ECA

The ECA offers various free of charge GMP newsletters  for which you can subscribe to according to your needs.

After a three year long waiting time, the new Annex 11 to the European GMP has been released on 12th January 2011. This document comes within the continuity of the first version by covering more exhaustively the system life cycle. As a major evolution, based on ICH Q9 principles, this document takes into account and focuses on a risk-based approach.

A 20 years experience background

The genesis of this revision of Annex 11 should probably be found in the elaboration work for the PIC/S Guide PI 011. Indeed, the purpose of this Guide, released in 2003 - i.e. around 10 years after the first version of Annex 11 - is to provide recommendations to the inspectors - and consequently to the regulated user1 and its suppliers - for reviewing the implementation of Annex 11. Between 1992 and 2003, the use of computerised systems experiences a dramatic increase. At the same time, the industry developed various approaches for fulfilling regulatory expectations as good as possible.

Main evolutions

The draft released in 2008 had to face numerous comments provided by the pharmaceutical industry and its suppliers. Finally, the 2011 version of Annex 11 gets back to and develops the topics addressed in the previous version.

  • The necessity of mastering the life cycle - from the requirement until the retirement phase - is now an explicit requirement. This principle has been extended to the control of processes.
  • One of the major evolutions is that IT infrastructures supporting regulated systems have to be "qualified", i.e. such IT infrastructures have to be kept under control trough the life cycle of the supported systems. As such, this requirement is not really new since it was widely implicit in the previous version of Annex 11 but mainly explicit in PIC/S Guide PI 011, §17.3.
  • It is also stipulated that internal IT organisations as well as external service providers have to be considered in the same way. This concerns in particular the needs for formal service respective operation level agreements defining the operational conditions of supported applications and systems.
  • The key-principles of a science-based risk management derive directly from ICH Q92 focused on data integrity, patient safety, and product quality. Supplier management and service provider management rely on such consistent risk management as well. Although such requirements were not mentioned in the previous version of Annex 11, they were already part of PI 011.
  • Different roles such as system owner and process owner are now clearly identified as major compliance actors. Even if the definition of these roles is less detailed than described in GAMP® 5**, the stipulated responsibilities are essential.
  • Within the framework of a risk-based compliance approach, supplier effort could be significantly leveraged as long as the supplier has been consistently assessed.
  • For this reason, it is expected that "quality system and audit information relating to suppliers or developers of software and implemented systems should be made available to inspectors on request". [A11:3.4]
  • The section about the validation phase has been significantly improved.
  • The need to maintain an up-to-date system inventory - already mentioned in Annex 15 and promoted in PI 011 - is now emphasised in Annex 11.
  • The necessity to ensure a systematic requirement traceability throughout the life cycle is now clearly required. Additionally it is expected that this traceability is based on a documented risk assessment and GxP impact.
  • For critical systems, it is expected that a system description showing the system configuration, data flows, and security measures is available.
  • It is expected that the regulated user is able to provide evidence of the pertinence of test methods and that test scenarios could be demonstrated. Additionally, automated testing becomes acceptable as long as the adequacy of testing tools and test environments is documented.
    -> Since automated testing tools could fit into the GAMP® Software Category 1, one of the ways for keeping such tools under control could be to apply recommendation and approach promoted by the GAMP® Good Practice Guide on "IT Infrastructure Control and Compliance".
  • Then data have to be converted in another format or transferred between two systems, it is necessary to validate such conversion or transfer and to include data verification in terms of value and meaning.
  • The electronic signature is now officially recognised without becoming mandatory.
  • The requirements regarding the operational phase are mostly based on good business and operation practices. Such requirements have been already widely mentioned in the previous version of Annex 11, however some of them have been established with more details in the new version.
  • The operational requirements cover:
    -> Data and accuracy checks
    -> Data Storage
    -> Printouts
    -> Audit trails
    -> Change and configuration management
    -> Security
    -> Incident management
    -> Business continuity
    -> Archiving
  • Additionally to Annex 15 clauses 23 and 45 - establishing since 2001 the need for a formal periodic evaluation - the new Annex 11 repeats explicitly this requirement applying it to computerised systems.
SMART AAV Analytical Method Toolbox - Live Online Training

Recommendation

Thursday, 6 February 2025 9 .00 - 15.30 h

SMART AAV Analytical Method Toolbox - Live Online Training

Consequences

Without representing a revolution, this new version of Annex 11 has some implications, e.g.:
1. Compliance decisions based on results of risk management activities have to be justified. This expectation - already mentioned in PI 011 - is now becoming a mandatory regulatory expectation. This implies that risk management activities must be conducted consistently and rigorously.
2. T he condition for leveraging supplier involvement is to put in place rigorous processes regarding supplier evaluation and selection as well as supplier management. At the same time, some transparency to inspector is expected (and necessary), see clause 3.4. F or critical systems, the need for a stand-alone detailed description - not only embedded in the Validation Plan or in the URS - as described in the previous version of Annex 11 is confirmed. It is to notice that such document can be easily prepared based on the recommendations provided in GAMP® 5, Annex D6.
3. The yearly revision of Validation Master Plans (VMP) offers an excellent opportunity for reviewing and maintaining the system inventory up-to-date.
4. The supporting processes to the operational phase - already mentioned in the previous version of Annex 11 - are clearly stated. Additionally the requirement to evaluate periodically the compliance state of the systems enforces the importance of the operational supporting processes.

Annex 11 vs. 21 CFR 11: Differences and Similarities

Annex 11 and 21 CFR 11 have different positions within their respective regulatory contexts. Indeed, while 21 CFR 11 discusses only the implementation of electronic records and electronic signatures within the GxP scope as defined in the predicate rules, Annex 11 is focused on the use of computerised systems in GMP environments.

Therefore the main requirements related to system life cycle (until system retirement), supplier management, as well as to qualification and validation activities as defined in Annex 11 could be summarised in 21 CFR 11 by the paragraph 11.10(a) which stipulates that the validation of computerised systems is the necessary and unavoidable requirement for establishing electronic compliance. Additionally the revised Chapter 4 about documentation is much more detailed and prescriptive than 21 CFR 11.

The electronic signature manifestation is not explicitly identical in both texts. 21 CFR 11 requires the signature meaning as part of the signature. Annex 11 does require it implicitly since signature meaning is in all cases a requirement for GxP documentation as stated in Chapters 1 and 4. However, excepted for batch release - which is specifically discussed in Annex 11 - the impact of electronic signatures as equivalent to hand-written signatures is limited to the boundary of the company3. Within a different legal context as in the European Union (see 1999/93/EC and 2000/31/EC), 21 CFR 11 establishes electronic signatures as "legally binding equivalent" to hand-written signatures.

Nevertheless both texts lay down the principle of an immutable link between the signature and the signed record as an essential and unavoidable compliance requirement.

Annex 11 does not require that organisations submit to the Agency a declaration regarding the use of electronic signature for GxP activities. Likewise Annex 11 does not require that persons using electronic signature have to provide a specific certification regarding the use of such signature.

Convergence and future developments

This revision of Annex 11 - including Chapter 4 of European GMP - results from an iterative process along two decades, see Figure 1.

Based on a continuous and valuable experience sharing between regulators and industry, this process allows to define a demanding but consistent approach to electronic compliance commensurate to the criticality of the concerned processes. The convergence between regulatory requirements and industry recommendations such as provided by GAMP® establishes a stable regulatory basement allowing the pharmaceutical industry and its suppliers to define a cost-effective and efficient approach to compliance.

Virus Safety - Best Practices and Emerging Trends

Recommendation

Vienna, Austria18/19 February 2025

Virus Safety - Best Practices and Emerging Trends

The next version of the PIC/S Guide PI 011 should give the opportunity to the regulators to precise and to clarify the impact and the extent of some requirements as well as the expected level of implementation detail. Regarding the draft for comment published in 2008, the new revision of Annex 11 as released in January 2011 represents both a return to the roots as well as a significant evolution in terms of compliance maturity.

Author:
Yves Samson
... is founder and Director of the consulting firm Kereon AG located in Basle, Switzerland. He has been in computerized system validation since 1992. He is the editor of the French Version of GAMP® 4 and GAMP® 5 and he translated the PIC/S Guide PI 011 into French. He is the co-founder and chair of GAMP Francophone. He is an active member of the ISPE IT infrastructure SIG and member of the French affiliate board.

Source:
1 see PI 011, note 1
2 Within the European GMP, ICH Q9 has been initially established as Annex 20. Since February 2011, this document - as well as ICH Q10 - has been released as part of European GMP Part III.
3 The wording of this requirement is particularly important since it gives a more limited and more pragmatic definition of the electronic signature than settled in the European Directives 1999/93/EC and 2000/31/EC.

Go back

To-Top
To-Bottom